Detection, classification, and analysis of inter-domain traffic with spoofed source IP addresses

Lichtblau, Franziska; Streibelt, Florian; Krüger, Thorben; Richter, Philipp; Feldmann, Anja

doi:10.1145/3131365.3131367

Cited by 34 publications

(42 citation statements)

References 32 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Despite the knowledge of the above-mentioned attack scenarios and the costs of the damage they may incur, it has been shown that SAV is not yet widely deployed. Lichtblau et al surveyed 84 network operators to learn whether they deploy SAV and what challenges they face [16]. The reasons for not performing packet filtering include incidentally filtering out legitimate traffic, equipment limitations, and lack of a direct economic benefit.…”

Section: Introductionmentioning

confidence: 99%

“…The reasons for not performing packet filtering include incidentally filtering out legitimate traffic, equipment limitations, and lack of a direct economic benefit. The last aspect assumes outbound SAV when the deployed network can become an attack source but cannot [20,15] outbound absence yes yes Traceroute loops [18] outbound absence yes yes Passive detection [16,21] outbound both no no Our method [5] inbound both yes no be attacked itself. Performing inbound SAV protects networks from, for example, the threats described above, which is beneficial from the economic perspective.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

Korczyński

Nosyk

Lone

et al. 2020

Passive and Active Measurement

View full text Add to dashboard Cite

This paper concerns the problem of the absence of ingress filtering at the network edge, one of the main causes of important network security issues. Numerous network operators do not deploy the best current practice-Source Address Validation (SAV) that aims at mitigating these issues. We perform the first Internet-wide active measurement study to enumerate networks not filtering incoming packets by their source address. The measurement method consists of identifying closed and open DNS resolvers handling requests coming from the outside of the network with the source address from the range assigned inside the network under the test. The proposed method provides the most complete picture of the inbound SAV deployment state at network providers. We reveal that 32 673 Autonomous Systems (ASes) and 197 641 Border Gateway Protocol (BGP) prefixes are vulnerable to spoofing of inbound traffic. Finally, using the data from the Spoofer project and performing an open resolver scan, we compare the filtering policies in both directions.

show abstract

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

Korczyński

Nosyk

Lone

et al. 2020

Passive and Active Measurement

View full text Add to dashboard Cite

show abstract

“…In TCP/IP networks, an end-point can send IP packets with a forged source IP address [12,13]. This is called IP address spoofing, and has been used by attackers to launch Distributed Denial of Service (DDoS) attacks.…”

Section: Introductionmentioning

confidence: 99%

Comparative Evaluation of IP Address Anti-Spoofing Mechanisms using a P4/NetFPGA-based Switch

Gondaliya

Sankaran

Sivalingam

2020

Proceedings of the 3rd P4 Workshop in Europe

View full text Add to dashboard Cite

IP source addresses can be easily spoofed and are often deployed for launching network attacks. Several anti-spoofing mechanisms (ASMs) have been implemented in commercial routers. However, the problem still remains fully unaddressed. This paper explores the use of programmable data plane (PDP) concepts for building better ASMs. The objective of this paper is to implement some common ASMs in P4 (a PDP language), in order to understand the feasibility of P4-based routers/switches for realizing anti-spoofing functions. This paper also presents results from the P4 implementation, realized using the NetFPGA SUME hardware platform. Experimental results describe FGPA resource utilization, throughput and latency characteristics.

show abstract

“…There exist methods aimed at enumerating networks without packet filtering [1][2][3][8][9][10][11][12][13][14][15]. However, a great majority of the existing work concentrates on outbound SAV, the root of DDoS attacks [8].…”

Section: Introductionmentioning

confidence: 99%

Inferring the Deployment of Inbound Source Address Validation Using DNS Resolvers

Korczyński

Nosyk

Lone³

et al. 2020

Proceedings of the Applied Networking Research Workshop

View full text Add to dashboard Cite

This paper reports on the first Internet-wide active measurement study to enumerate networks not filtering incoming packets based on their source address. Our method identifies closed and open DNS resolvers handling requests from the outside of the network with the source address in the prefix of the tested network. The study gives the most complete picture of the inbound Source Address Validation deployment at network providers: 32,673 IPv4 ASes and 197,641 IPv4 BGP prefixes are vulnerable to spoofing of inbound traffic. CCS CONCEPTS • Networks → Network measurement; Security.

show abstract

Detection, classification, and analysis of inter-domain traffic with spoofed source IP addresses

Cited by 34 publications

References 32 publications

Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

Don’t Forget to Lock the Front Door! Inferring the Deployment of Source Address Validation of Inbound Traffic

Comparative Evaluation of IP Address Anti-Spoofing Mechanisms using a P4/NetFPGA-based Switch

Inferring the Deployment of Inbound Source Address Validation Using DNS Resolvers

Contact Info

Product

Resources

About